[Samba] Samba4, ZFS and FreeBSD

Andrew Bartlett abartlet at samba.org
Wed Sep 25 23:20:57 MDT 2013

On Thu, 2013-09-26 at 14:55 +1000, Petros wrote:
> Hi all,
> I am in the process of finding the best way to use Samba4 as an AD  
> under FreeBSD and ZFS.
> The following is based on my own research, Google, mail archives, a bit  
> of source code etc. So please correct me if I am wrong.
> 1. ZFS is using NFSv4 ACLs.
> 2. NFSv4 ACLs are modelled with NTFS (Windows) ACLs in mind.
> 3. Samba4 started with a new ntvfs file server but that was abandoned  
> (or delayed?) to get samba4 released
> 4. Samba4 was released with s3fs as a default (the "old" Samba3 smbd)
> 5. s3fs is relying on POSIX ACLs which are not implemented on ZFS
> 6. There is a libsunacl library, a wrapper around FreeBSD ZFS NFSv4 ACLs
>     I can install an experimental module but cannot provision AD with s3fs.
> 7. The provisioning with ntvfs seems to work
> For me, there are two uncertainties:
> a) Will ntvfs be supported in the future? Or will it be the default later?

No, and No.  We support the ntvfs file server with the existing
functionality, but are not developing it.  Essentially we are keeping it
as a technology demonstration, as well as not breaking any existing users.

> b) Will s3fs gain support for NFSv4 ACLs?

smbd has NFSv4 ACLs

> If a) is the case, I am happy to proceed with using ntvfs.
> If b) is the case, I may try to use ZFS on volume management level  
> (for samba4 jails only, I am running other "stuff" on the FreeBSD  
> boxes with ZFS).
> I may create ZFS volumes and create UFS volumes, with POSIX support.
> Later I may revert them to ZFS, if s3fs provides ZFS NFSv4 ACL support.
> The other option would be to run it with ntvfs for now, switching to  
> s3fs when it is "ZFS ready".
> I do not know who has any plans in any directions. Of course, "Solaris  
> people" (Oracle, illumos) may have interests and plans in this area too.
> I am happy to become a FreeBSD beta tester for any kind of FreeBSD ZFS  
> support. But I am afraid I am not good enough to code it myself. I am  
> a sysadmin who reads C code frequently, it does not make me a good  
> coder.

The issue is essentially that the python-based provision code needs to
detect the use of ZFS, load the zfsacl module in the generated smb.conf,
and instead of testing simple POSIX ACLs, proceed to setting a full NT
ACL when we create the sysvol share.


Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
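
Added example, not part of the original message and not Samba's provision code: a sketch of the detection step described in the reply, deciding from a mount table whether the sysvol path sits on ZFS and only then adding the zfsacl module to the share. The function names, the sample mount table, the paths and the exact stanza layout are assumptions made for illustration.

```python
import posixpath

# Constructed sample in fstab-style layout (as "mount -p" prints on FreeBSD):
# device, mount point, fstype, options, dump, pass.
SAMPLE_MOUNTS = """\
/dev/ada0p2\t/\tufs\trw\t1 1
zroot/var\t/var\tzfs\trw,nfsv4acls\t0 0
zroot/samba\t/var/db/samba4\tzfs\trw,nfsv4acls\t0 0
/dev/zvol/zroot/ufsvol\t/var/db/samba4-ufs\tufs\trw,acls\t0 0
"""

def parse_mounts(text):
    """Return [(mountpoint, fstype)] from fstab-style lines."""
    mounts = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and not line.startswith("#"):
            mounts.append((posixpath.normpath(fields[1]), fields[2]))
    return mounts

def fs_type_for(path, mounts):
    """Filesystem type of the longest mount point containing path."""
    path = posixpath.normpath(path)
    best = None
    for mountpoint, fstype in mounts:
        # Match on whole path components, so /var/db/samba4 does not
        # claim /var/db/samba4-ufs.
        prefix = mountpoint if mountpoint == "/" else mountpoint + "/"
        if path == mountpoint or path.startswith(prefix):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, fstype)
    return best[1] if best else None

def sysvol_share(path, mounts):
    """Return (fstype, stanza); zfsacl is loaded only when path is on ZFS."""
    fstype = fs_type_for(path, mounts)
    lines = ["[sysvol]", f"\tpath = {path}", "\tread only = No"]
    if fstype == "zfs":
        # Assumption: the module is added per share; the message only says
        # it must be loaded in the generated smb.conf.
        lines.append("\tvfs objects = zfsacl")
    return fstype, "\n".join(lines) + "\n"

if __name__ == "__main__":
    table = parse_mounts(SAMPLE_MOUNTS)
    for p in ("/var/db/samba4/sysvol", "/var/db/samba4-ufs/sysvol"):
        print(sysvol_share(p, table)[1])
```

The component-boundary check matters for the layout Petros describes, where a UFS volume on a zvol can sit next to a ZFS dataset with a similar name; a plain string-prefix match would pick the wrong ACL model for it.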
